By Dr. Robert Ghanea-Hercock, Chief Researcher, BT Security Research Practice
Cyber Security is a funny thing. There is a vast array of technical solutions and security products on the market, yet we still struggle to contain a tsunami of malware and advanced threats. Why? The answer may lie in a deeper understanding of the true nature of the problem, specifically that Cyber Security is a Complex Adaptive System. As such it encompasses social, legal, commercial, technical and policy dimensions.
One discussion forum that tries to address this Complex and Adaptive aspect of security is the Adaptive Resilient Computing Systems Workshop (ARCS). This is a series of ongoing meetings that have brought together policy makers and researchers to explore the promise of adaptive and resilient approaches to computer security. The ARCS workshops were set up in 2002 following a number of brainstorming sessions that focused on an interdisciplinary scientific approach to the problem. This was in stark contrast to the prevalent practice in the IT community, which perceives security as a rigid physical science, focused on formal encryption protocols, hardware, and firewall design. Unfortunately, this mindset is still prevalent and is failing badly. It fails to accept a number of basic realities, for example:
- A significant, although debated, proportion of cyber-crime is due to insiders (a brilliant example being the insider fraud at the French bank Société Générale in 2008).
- Human beings have limited memory and are generally stupid (i.e. they use short passwords).
- Social Engineering is the best attack method; you just convince the most vulnerable member of the IT department to give you their password (Mitnick and Simon, 2003).
- IT staff don’t have the time, or the incentive, to secure all of the systems.
- Email is very rarely encrypted anyway, and that is where most valuable data actually resides.
- All code has bugs and always will have.
- There is no inside-outside distinction any more: too many intranets overlap, or are wireless, and have applications that span multiple networks.
The result is that to address the problem we need to consider a far wider arena of topics, i.e. sociology, psychology, economics, network dynamics, co-evolution mechanisms, and immunology. Nor is this an exhaustive list.
Hence the ARCS workshop idea was born, and a broad range of researchers attended the founding event at the Santa Fe Institute, New Mexico, in November 2002. Out of that first meeting a consensus finally emerged that this was the real challenge: to understand Cyber Security through the theories of adaptation and co-evolution, and perhaps to discover some better methods for alleviating the Cyber Security problem.
Note the use of the term alleviated, rather than eliminated. In my personal opinion Cyber space will never be secure. This is a classic model of adaptive co-evolution: as network defences evolve, so too will the attack methods. Worse still, there are provably more attack vectors than potential defence solutions. In simple terms, as the social and economic value of our networks continues to increase, so too will the incentive for people to attack them. We can no more eliminate cyber-crime than we have succeeded in eliminating crime in the physical world (even with the advent of CCTV cameras in every UK shopping mall and street).
Society will have to accept an ever-present level of cyber-crime that will perpetually ebb and flow as the software and hardware vendors roll out improved products. The real fun will begin when computers develop a level of awareness that realizes they can also benefit themselves by cheating or hacking other computers! Imagine that by 2015 your online avatar starts a little dodgy credit-card fraud to pay for virtual makeovers for itself. Sorting out the legal implications of that scenario will be truly fascinating.
(The ARCS event occurs on an annual basis, see http://www.arcs-workshop.org for details, or email robert.ghanea-hercock@bt.com)